Data Security & Vulnerabilities Management Policy

Last updated: July 5, 2024.

Purpose

Vulnerability management is the process of searching for, prioritizing, and remediating vulnerabilities in enterprise systems and software. This Policy defines the processes and procedures for ensuring that vulnerabilities in enterprise assets are identified, assessed and remediated in a timely manner. It applies to all departments and to all assets connected to the Revisio platform and its related sub-systems, websites and APIs.

Responsibility

The IT unit of BN Digital Ltd. (Platform Operator) is responsible for all vulnerability management functions. Specifically, system administrators are responsible for assessing and applying patches. Relevant vulnerability information must be relayed to other business units within the enterprise, such as finance, accounting and cybersecurity, as required. IT is responsible for informing all users of their responsibilities in the use of any assets assigned to them, such as applying updates regularly or restarting their systems when required.

Objectives

  • Protect customer data from unauthorized access, disclosure, alteration, and destruction.
  • Ensure the Revisio platform with its sub-systems is resilient against security threats and vulnerabilities.
  • Establish a framework for identifying, assessing, and mitigating security risks.

Data Security

Data Encryption

Data at Rest: All customer data stored within the Revisio platform is encrypted using industry-standard encryption algorithms.

Data in Transit: Data transmitted between the Revisio platform and customers is encrypted using secure transport protocols.

Access Controls

Authentication: Authentication is delegated to Google Single Sign-On; multi-factor authentication (MFA) is required for all user accounts accessing the platform.

Authorization: Revisio uses the principle of least privilege, granting users access only to the data and resources necessary for their role.

Account Management: The IT unit reviews and updates user access rights on a regular basis. Accounts that are no longer in use are deactivated.

Data Backup and Recovery

The IT unit performs regular backups of all critical customer data and stores the backups in a secure, encrypted location.

The IT unit regularly tests backup and recovery procedures to ensure that data can be restored in the event of data loss or corruption.

Vulnerabilities Management

The Vulnerability Management Process consists of four sequential steps: identification, assessment, remediation, and monitoring and reporting.

Vulnerability Identification

Regular Scanning: The IT unit conducts regular vulnerability scans of the Revisio platform to identify potential security weaknesses.

Penetration Testing: The IT unit performs periodic penetration testing to identify and address security vulnerabilities.

Automated Dependency and Code Scanning: The IT unit uses tools such as Snyk and Dependabot to detect known vulnerabilities in Revisio's source code dependencies and to open remediation pull requests where a fixed version is available.

Vulnerability Reporting: The IT unit monitors communication channels to identify vulnerabilities reported by customers or external security researchers.
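As an added illustration of the dependency scanning described above (this is example configuration, not Revisio's or BN Digital's own), a minimal `.github/dependabot.yml` enabling Dependabot version updates for an npm project and its GitHub Actions workflows. The package ecosystems, directories and labels are assumptions; a real project lists each ecosystem and manifest directory it actually uses.

```yaml
# Example .github/dependabot.yml (added illustration, not Revisio's configuration).
# Dependabot reads this file to decide which manifests to watch and how often.
version: 2
updates:
  # Assumed: application dependencies live in a package.json at the repo root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"          # check for new versions every day
    open-pull-requests-limit: 10 # cap concurrent update PRs to keep triage manageable
    labels:
      - "dependencies"
      - "security"
  # Assumed: CI workflows under .github/workflows pin third-party actions.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Note that this file controls Dependabot version updates only; Dependabot alerts and security updates (the pull requests raised for advisories against already-pinned versions) are enabled separately in the repository's code security settings and are the part that feeds the SLA-driven triage below.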

Vulnerability Assessment

Risk Rating: The IT unit classifies identified vulnerabilities based on their severity and potential impact on the platform and customer data.

Prioritization: The IT unit prioritizes the remediation of vulnerabilities based on their risk rating, with critical and high-risk vulnerabilities addressed first.

Vulnerability Remediation

Patch Management: The IT unit makes its best effort to meet the following SLAs: 1 day for the first response, 5 days to triage the vulnerability, and 10 days to resolve the vulnerability and deploy the fix.

Configuration Management: The IT unit reviews and updates system configurations to align with security best practices.

Mitigation: Where immediate patching is not possible, mitigating controls are implemented to reduce the risk posed by the vulnerability until a patch can be applied.

Monitoring and Reporting

Continuous Monitoring: The IT unit implements continuous monitoring tools and processes to detect and respond to security incidents in real time.

Reporting: The IT unit maintains a log of all identified vulnerabilities, the actions taken, and their resolution status. The IT unit reports significant security incidents to senior management and affected customers promptly.

Security Awareness and Training

Platform Operator provides regular security training and awareness programs for all employees and contractors.

Platform Operator educates staff on the importance of data security, common threats, and best practices for safeguarding customer data.

Platform Operator ensures that all personnel are aware of their roles and responsibilities in maintaining the security of the Revisio platform.

Data Security & Vulnerabilities Management Policy Updates

Platform Operator regularly reviews and updates this policy to ensure it remains aligned with industry standards, regulatory requirements, and emerging security threats.

Policy Enforcement

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contracts.
